Linux Networking - How to dynamically filter network packets within short time range

Aeternal

10/16/22, 7:14 PM

I am trying to find a solution to dynamically filter network packets with strict timing constraints and based on a IP list on a Linux Operating System

I cannot install additional software of modify kernel or libraries to add modules to iptables for example

I have an equipment that receive too much network packet and I need to find a way to filter network packets dynamically with a 200ms cycle.

For example, let's say I have 3 IPs (192.168.0.1,192.168.0.2,192.168.0.3) I would need to dynamically change every 200ms the iptable configuration to block the 1st IP packets for the 1st 200ms cycle, then block the second IP packets for the 2nd 200ms cycle, so on and so forth

Would anyone know any efficient solution that take into accounts this stringent time constraint ? My first idea is to dynamically change the iptables configuration but I'm concerned about the performance and the timing,

Would anyone have performed the same kind of work or knows a solution already implemented and working ?

Thanks a lot for your help,

0 + 5

networking

linux

iptables

filtering

Håkan Lindqvist

10/16/22, 7:26 PM

What is the problem that this proposed solution is intended to solve? It seems pretty strange and likely to be an [XY problem](https://en.wikipedia.org/wiki/XY_problem). That said, I have never done what the question asks for in particular but with regard to dynamically changing addresses, I would say [`ipset`](https://ipset.netfilter.org/ipset.man.html) may be helpful rather than changing the iptables rules.

Aeternal

10/16/22, 7:31 PM

Thanks a lot for your comment ! I did not know ipset and will have a look to it This solution would be temporary and aims to "filter" network packets to reduce the load on the equipment cpu. It is presently receiving too much messages and some of them are not intended to this equipment. However I cannot perform any l7 filtering because I lack the proper binaries or iptables modules in the kernel

vidarlo

10/16/22, 8:01 PM

Sounds like you rather want to limit throughput?

Aeternal

10/16/22, 9:58 PM

After some thinking, I think as well that rate-limiter using iptables on a per-IP basis is the best and easiest solution to implement

asmath

10/17/22, 4:46 AM

correct you can simply use limit option in this case.(-m limit --limit count/minute --limit-burst ouny)

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Linux Networking - How to dynamically filter network packets within short time range

TH: Linux Networking - วิธีกรองแพ็กเก็ตเครือข่ายแบบไดนามิกภายในช่วงเวลาสั้นๆ

RO: Linux Networking - Cum se filtrează în mod dinamic pachetele de rețea într-un interval scurt de timp

RU: Linux Networking - Как динамически фильтровать сетевые пакеты в течение короткого промежутка времени

VI: Mạng Linux - Cách lọc động các gói mạng trong phạm vi thời gian ngắn

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.